FortiGate NSE 4 6.2 Security
Upgrade firmware process
1. Back up the configuration. 2. Download a copy of the current firmware (in case you need to go back). 3. Physically connect to the console. 4. Read the release notes for the upgrade path. 5. Perform the upgrade.
What do you do if the Security Fabric FortiGates have a syncing conflict?
1. Click Open Synchronization Wizard in the yellow error text box. 2. Check which FortiGate is out of sync and click Next. 3. See the issue and click Resolve Conflicts. 4. There will be both an automatic and a manual resolution option. Done.
Downgrade firmware process
1. Get the pre-upgrade configuration file. 2. Download a copy of the current firmware. 3. Physically connect to the console port. 4. Read the release notes to see if the downgrade preserves the configuration. 5. Downgrade. 6. Upload the matching configuration if needed.
What is the default management IP on FortiGate?
192.168.1.99
EIGRP administrative distance
90
What can you do if you want to list CLI commands?
<command set> ?
What are interface aliases?
A description for the interface
Aside from a password, what else can admins use to authenticate?
A digital certificate, or FortiGate can query an authentication server
Fortinet Security Fabric
A Fortinet solution that enables communication and visibility between the devices of your network. It connects Fortinet devices and enables a single-pane-of-glass view. Devices are integrated onto a single console for management and security. All devices are connected in the fabric, so there are fewer of the security issues that come with multiple vendors. The Security Fabric allows visibility into the network.
What is dangerous about SSL?
A virus can pass through SSL unless full (deep) SSL inspection is enabled
What FortiGate solution enhances performance and reduces latency for specific features and traffic?
Acceleration hardware called an SPU
What happens when the FortiGates sync in the Security Fabric?
Addresses, services, and schedules are synced
What is the REST API Admin for?
Adds an administrative user who will use a custom application to access the FortiGate with a REST API
Default user and password
admin, blank
How to back up the configuration
Admin profile > Configuration > Backup
Two device identification techniques
Agentless and agent (FortiClient)
What is the Allow Concurrent Sessions setting in the system settings?
Allows multiple sessions in the GUI and/or CLI and prevents accidentally overriding settings
What is a requirement to use interfaces on FortiGate (policies, routes, etc.)?
An IP address
EIGRP (Enhanced Interior Gateway Routing Protocol)
An advanced distance-vector protocol used to advertise routes between routers. Metric values: bandwidth, load, delay, reliability, and MTU (the defaults are bandwidth and delay).
How can you configure FortiGate as a DHCP server?
At the interface level: Network > Interfaces > DHCP on
Once the root and downstream FortiGates are configured for the Security Fabric, what is needed to finalize the connection?
Authorizing the downstream FortiGates on the root FortiGate, and submitting the final authorization in FortiAnalyzer
Administration methods for FortiGate
CLI and GUI
What are two of the first things you need to do when logging in to FortiGate for the first time?
Change the default password and create administrator accounts
What is enabled on the mid- to high-range FortiGate's mgmt interface?
DHCP server
What is an interface role for?
Defines interface settings that are typically grouped together: WAN, LAN, DMZ, undefined. Some settings will be hidden in the GUI depending on the role.
Different deployment modes for the firewall
Distributed enterprise, next-generation firewall, internal segmentation firewall, data center firewall
When configuring FortiGate as a DHCP server to restrict access by MAC address, what does the Assign IP option do?
Dynamically assigns an IP to the MAC address (Reserve will assign a specific IP)
What is the RADIUS protocol used for?
Enabled on an interface when FortiGate needs to listen for RADIUS packets for SSO authentication
When does FortiGate query the FDN, and with what protocol?
Every time it scans for spam or filtered websites. It queries instead of downloading the database because the size of the DB changes frequently. UDP or HTTPS.
Important reminder when upgrading firmware versions
FOLLOW THE UPGRADE PATH
True or false: the Security Fabric does not support split-task VDOM
False. It does, and it will display both the FG-traffic VDOM and the root VDOM on the Security Fabric topology map. It must be enabled in Global > Dashboard > Status.
True or false: you cannot change the administrative protocols' port numbers
False. You should, for security.
Benefits of FortiGate VM
Faster deployment and teardown; it may also be cheaper if you use cheaper/larger hardware to run the VM on
What is the CAPWAP protocol used for?
FortiAP, FortiSwitch, and FortiExtender
What is FTM in the interface protocols?
FortiToken Mobile push will support authentication on the interface from FortiToken
What combination of devices must participate in the Security Fabric?
FortiAnalyzer and two or more FortiGates
What is agent device detection?
FortiClient
What is the core of the Security Fabric?
FortiGate and FortiAnalyzer
Describe the architectural structure of FortiGate
FortiGate is a modular design. The hardware is advanced: special ASICs designed by Fortinet and specialized CP and NP processor chips make FortiGate a carrier-grade device. It enables you to simplify your network and cut down on the number of needed devices. Sitting on the advanced circuitry is FortiOS. FortiGate can operate as an NGFW with antivirus, web filtering, and IPS. It's flexible, allowing for simple operation, and can also be a sophisticated NGFW with advanced capabilities such as UTM. It is vendor neutral and also offers subscription services to further advance capabilities and support.
Explain transparent mode
FortiGate is an OSI layer 2 switch. Interfaces do not have IPs. It forwards frames based on MAC and cannot route packets.
Explain NAT mode
FortiGate is an OSI layer 3 router. Interfaces have IPs. Packets are routed by IP.
What is SSL certificate inspection?
FortiGate uses the SNI to distinguish the hostname of the SSL server, which is validated against the DNS. The only security feature that can be applied with this mode is web filtering. It does not inspect encrypted data.
What protocol is used when the role LAN or WAN is assigned to an interface?
FortiGate will use LLDP to detect if there is an upstream FortiGate
What is recommended to be added to the core of the Security Fabric?
FortiManager, FortiAP, FortiSwitch, FortiClient, FortiSandbox, FortiMail
Name some Security Fabric products
FortiNAC, FortiClient, FortiAuthenticator, FortiAP, FortiSwitch, FortiGate, FortiWPC, FortiWeb, FortiMail, FortiEDR, FortiAnalyzer, FortiSIEM, FortiSandbox, FortiSOAR, FortiManager, FortiGate Cloud, FortiCloud
How can FortiGate answer DNS queries?
Forward: relays requests to the configured next server in the DNS settings. Non-recursive: uses the Fortinet DNS DB to resolve queries. Recursive: uses the FortiGate DNS database first and then relays unresolved queries.
CLI command to get FortiGate status
get system status
CLI command to see the firmware version, and the GUI path
get system status; System > Firmware
What are the management protocols?
HTTP, HTTPS, SSH, PING
CP (CP8 and CP9)
High-speed content inspection. A content processor that accelerates antivirus, attack detection, and encryption and decryption (SSL). Not bound to an interface.
What feature prevents an admin from staying logged in indefinitely?
Idle timeout feature (it can be overridden under admin profiles)
When do you need to set up a DNS database in the FortiGate?
If you choose to have the FortiGate DNS server resolve queries
Benefit of hiding features
If you don't use a feature, you can disable showing it in the GUI under Feature Visibility
What is the trusted host feature?
It allows you to assign a specific IP or network to an admin profile so that only a device with the specified IP is allowed to sign in to the profile
How does FortiGate check content for spam or malicious websites?
Live queries to FortiGuard over UDP
Link aggregation
Logically binds interfaces together to form a single channel with greater bandwidth (almost like EtherChannel). Network > Interfaces > Create New > Interface > Type: 802.3ad Aggregate
To restore an encrypted configuration to a FortiGate, what do you need to match?
Model, firmware, build number, password
What is the default FortiGate mode?
NAT
What are the two modes a FortiGate can operate in?
NAT and transparent
How do you disable or enable administrative protocol access on ports?
Network > Interfaces, or: set allowaccess <ping> <https> <ssh> <http> <telnet> etc.
When configuring FortiGate as a DNS server, which resolution method uses the FortiGate DNS DB to try to resolve queries?
Non-recursive
What is NTurbo?
Offloads flow-based security profile processing (packet-by-packet sessions) to the NP4 or NP6 processors (if it's disabled, the CPU handles it)
How to enable the Security Fabric
On the root FortiGate: Security Fabric > Fabric Connectors > enable Security Fabric Connection on the root FortiGate interfaces that face any downstream FortiGates, configure a fabric name, and configure the FortiAnalyzer IP. Configure the downstream devices in the Fabric Connectors settings: 1. Enable Security Fabric Connection and Device Detection on the interfaces facing the downstream FortiGates. 2. Select Join Existing Fabric and add the root (upstream) FortiGate IP.
When are antivirus and IPS packages downloaded, and what transport protocol is used to download them?
Once a day, using TCP
What is an exception to the rule that every running interface must have an IP address?
A one-arm sniffer, which purely receives a copy of processed traffic for logging purposes
NP
Packet processing. NP6 (NTurbo). Attached to a network interface. Network processors that offload the processing of high-volume network traffic from the CPU.
When restoring an encrypted system configuration file, in addition to needing the FortiGate model and firmware version from the time the configuration file was produced, what must you also provide?
Password
What port is the built-in DHCP server enabled on?
Port 1
What port do you plug your computer into to begin configuration? (two answers)
Port 1 or the internal switch ports on entry-level models, or the management interface on mid- to high-end models
What is the console port for on FortiGate?
Used for CLI access without internet (GUI) access. Can be used with a terminal emulator.
Agentless device identification and the detection methods
Requires direct connectivity to FortiGate. Detection methods: HTTP user agent, TCP fingerprinting, MAC address vendor codes, DHCP, MWBS (Microsoft Windows Browser Service), SIP user agent, LLDP, SSDP, QUIC, FortiOS VM detection
What are the neighbor requirements for a router using EIGRP?
Same AS number, a common subnet, and the K values need to match in the metric formula
To restore an unencrypted configuration to a FortiGate, what do you need to match?
Same model
SPU, and what are the 3 types?
Security processing unit. Specialized acceleration hardware that can offload resource-intensive processing from the main CPU. CP: content processor; SP: security processor; NP: network processor.
SP (SP3)
Security processors accelerate IPS for better system performance. Bound to an interface.
SNI
Server name identification, sent at the beginning of the SSL handshake, that FortiGate uses to identify the server. Used in SSL certificate inspection.
Where can you see how much data is being offloaded to the special processors?
The Sessions dashboard widget in the GUI shows the percentage
CLI command to list attributes for an interface
show full-configuration system interface <port>
CLI command to show non-default attributes for a port
show system interface <port>
What happens if the admin password is lost or reset?
Shut the FortiGate down physically and plug into the console port. The maintainer account will be available for 60 seconds. The password is bcpb<serial-number>.
Which admin profile has global FortiGate access?
super_admin
What are the two default admin profiles (explain each)?
super_admin: full access, cannot be changed, and applies to the global FortiGate settings. prof_admin: full access, applies only to its VDOM, and can be changed.
SOC3
System on a chip. Contains the CPU, CPs, NPs, and SPs.
What port do package updates from FortiGuard come in on?
TCP 443 (SSL)
As a security best practice when configuring administrative access, which protocol should be disabled?
Telnet
How do you access the CLI?
The JavaScript widget in the GUI called CLI Console, or through a terminal emulator connected through the console port
What are FortiGuard subscription services?
They provide FortiGate with up-to-date threat intelligence from the FortiGuard Distribution Network (FDN)
True or false: a configuration backup can be encrypted and produces a hash value
True
True or false: there must be at least 1 static route (default route)
True
An admin tries logging in and receives the error "unable to contact server". Why?
Trusted host is configured on all admin accounts and the user tried signing in from a non-trusted IP
What is two-factor authentication?
Two forms of identification are required to verify identity and sign in. Can be a digital signature, but is usually paired with FortiToken.
What is needed to preauthorize the downstream FortiGates when configuring the root FortiGate for the Security Fabric?
Under the Security Fabric settings on the root FortiGate > Allow other FortiGate devices to join > add the serial number and device information to the trusted list
What does UTM stand for?
Unified threat management
What direction does the LAN run to the internet, and what direction from the physical cabling to the private virtual network?
Vertically; horizontally
When would you enable FMG access on an interface?
When using FortiManager
Do you need internet for the FDN subscription services?
Yes
What are the DHCP IP address assignment rules for?
You can assign, block, or reset an IP for a host. You can also allow only certain MACs a DHCP assignment. You can also reserve IPs for certain MACs.
Disadvantage of FortiGate VM
You will be using a generic CPU instead of the special FortiASIC that is only made by Fortinet. Therefore performance will be downgraded.